DOD's open challenge

Defense Department officials have made clear their interest in moving toward open technologies, and some programs already make use of open source, but the department has yet to refine policies or procedures that would take DOD in that direction. And this lack of top-down guidance could keep the department from fully using the advantages of open-source software, experts said.

A road map for the adoption of open technologies was released last year by the Deputy Undersecretary of Defense for Advanced Systems and Concepts (AS&C) office. That paper proposed adopting open-source infrastructure and technologies and applying open source to collaborative technologies being implemented by DOD.

Open technologies provide two related advantages over their proprietary alternatives, advocates say. They reduce the cost of software development and they reduce the time in which innovations in software can be incorporated in systems.

'If the project is of a sufficient scale, you cannot get there without an open-source approach,' said Dewey Houck, a senior engineer at Boeing, who spoke at a conference last month about DOD's use of open source, sponsored by the Association for Enterprise Integration.

'On the battlefield, the enemy gets a vote,' said Brig. Gen. Nickolas Justice, Army program executive officer for command, control and communications tactical. 'The software has to change if the business changes. We want young sergeants and captains to be able to change things in their battle command applications as conditions change.'

Success stories

Despite the lack of formal guidance, open source may have already proliferated in DOD.

Last year, AS&C surveyed DOD shops and found more open-source software use than expected. A more recent study conducted by the Federal Open Source Alliance confirmed these findings, with 55 percent of federal information technology leaders surveyed, including DOD agencies, saying they have been or are involved in open-source implementations.

Linux is being deployed as the operating system for Future Combat Systems, Houck said, and other open technologies are being incorporated in FCS' System of Systems Common Operating Environment (SOSCOE).

'This means that under FCS, brigade-level activities will be almost completely supported by open technologies,' Houck said. 'In addition, there are proprietary components.'

The Multinational Information Sharing Initiative (MISI), part of Operation Enduring Freedom-Trans Sahara, is designed to enable collaboration among DOD, the State Department and the African nations participating in the program.

'MISI is completely open source,' said Bernard Golden, chief executive officer of Navica, a system integrator. 'DOD is considering distribution of the source code to the participating African nations.' DOD engaged Navica to work with the MISI project team to implement open-source governance.

Open source also benefits businesses that deal with DOD. 'We used open source to build the next-generation BI system,' said Andre Boisvert, CEO of Pentaho, a business intelligence software company.

The Naval Air Systems Command has deployed the Pentaho Open BI Suite within its Military Flight Operations Quality Assurance Program, a knowledge management process that uses flight data to provide information on crew and aircraft performance, Boisvert noted. The Defense Information Systems Agency installed a Pentaho reporting and analysis tool as part of its Joint Operation Planning and Execution System to analyze equipment and troop deployment, scheduling, and logistics.

The lack of a highly developed and widely recognized governance regime for open source is one of the factors preventing a wholesale, top-down adoption of the concept at DOD, according to Justice. The general is a leading advocate within DOD for the adoption of open-source technologies.

Acquisition officials are wary of the security of open-source products as well as the level of maintenance they require, Justice said. They also wonder whether DOD personnel have the requisite skills to successfully implement open-source technologies and whether the department can move from a culture of complete control over software to one in which the technology is shared.

Nick Guertin, of the Navy's Program Executive Office for Integrated Warfare Systems, said government leaders need to be educated about the advantages of using open source. 'The acquisition process has to catch up with where things are,' he said.

In order to take full advantage of open-source software, DOD officials may need to rethink procurement, said Fritz Schulz, who works in the chief technology office of the Defense Information Systems Agency. Fritz spoke at the Red Hat Users and Developers Conference recently in Washington.

'The procurement process itself needs to be modified,' he said. 'There are a couple of aspects that relate to the nuts and bolts of acquisition that need to be addressed. Those things are just coming into focus now.'

Although current policies adequately accommodate open-source acquisition, the requirements for software should be executed differently, 'to allow for proper consideration of open source,' he said.

Security issues

Security presents another challenge for open-source users. Government users need to be aware of the potential security vulnerabilities in open-source code, industry experts say.

As much as 30 percent to 50 percent of the code in new commercial software products may have originated in open-source programs, said Mark Tolliver, chief executive officer at Palamida, a company that specializes in analyzing commercial software for elements of open-source code and any potential vulnerabilities.

Last month Palamida released a list of the top five overlooked open-source security vulnerabilities that it encountered in 2007, as well as available fixes (GCN.com/901).

The identified vulnerabilities shouldn't discourage users from using any of the products, Palamida said, although they should make sure they're using the latest and most stable version of all software and implement the patches that are available to correct all five of the top vulnerabilities.